• Naming Fingerprints

• Simple Keywords

• Boolean Logic

• Variables

• Context-Sensitive

Fingerprints 101






• What's in a name?

• The XKS fingerprint naming convention helps organize fingerprints and makes searching easier, so it is important to name your fingerprint in line with the existing convention.
What's in a name




• For example, fingerprint names look like this:

• encryption/archive/rar

• encryption/archive/pkzip

• Notice the directory-like structure: all encryption fingerprints are within the same "folder", and all encryption/archive fingerprints are within the same sub-"folder".
What's in a name



• This allows for smarter searching, because you can find all encryption fingerprints by searching for encryption/*, all encryption/archive fingerprints by searching for encryption/archive/*, and so on.
What's in a name



• When you want to submit a new fingerprint, look to see if it would fit into any existing fingerprint folders.

• The best way to do this is to use either the "Field Builder" or "Tree Field Builder" next to the AppID (+Fingerprints) field in the search forms.



[Screenshot: the AppID (+Fingerprints) fulltext search field with its "Populate with Field Builder" and "Populate with Tree Field Builder" buttons]
What's in a name



• The field builders allow you to browse existing fingerprint directories to see if one already exists for your new fingerprint.



[Screenshot: the Field Builder tree view, which lists the existing top-level fingerprint directories (e.g. advertisement, anonymizer, antivirus, backdoor, blog, botnet) so that each can be expanded and browsed]
TOP SECRET STRAP1




[Screenshot: three Field Builder searches of the AppID (+Fingerprints) field, showing the existing entries under topic/wmd/iran/, the encryption/mojaheden2/ fingerprints (encodedheader, hidden, hidden2, hidden44, secure_file_encoded, securefile) and the botnet/blackenergybot/command/ fingerprints (die, flood, icmp, stop, syn, wait)]
What's in a name



• If no existing directory makes sense for your fingerprint, you can always create a new one.
Fingerprints 101: Getting Started

• The first step is to define the name of the fingerprint.

• To do that, follow the syntax below:

fingerprint('encryption/archive/test_new') =
Fingerprints 101: Getting Started

• Note that fingerprint names cannot have spaces or any punctuation other than / (which denotes directories) and _ (which can be used in place of spaces to make fingerprint names easier to read).

fingerprint('encryption/archive/test_new')




• As an example, let's say we want to fingerprint traffic like this:



[Screenshot: a captured message (Arabic text) whose body is a block of base64 text delimited by the lines "### Begin ASRAR El Mojahedeen v2.0 Encrypted Message" and "### End ASRAR El Mojahedeen v2.0 Encrypted Message"]
Fingerprints 101

• One thing that could be used to find data like this is the string "ASRAR El Mojahdeen V2.0 Encrypted Message".






Fingerprints 101: Keywords

• So let's create a fingerprint to tag any data that contains that string:

ASRAR El Mojahdeen V2.0 Encrypted Message



Fingerprints 101: Keywords

• First we'd define the fingerprint with a name:

fingerprint('encryption/mojahdeen2')



Fingerprints 101: Keywords

• Then, simply put the string in single quotes to denote that XKS needs to look for it as a keyword:

fingerprint('encryption/mojahdeen2') =
'ASRAR El Mojahdeen v2.0 Encrypted Message'



Fingerprints 101: Keywords

• Finally, all fingerprint definitions need to end with a semicolon to tell XKS that the definition is finished:

fingerprint('encryption/mojahdeen2') =
'ASRAR El Mojahdeen v2.0 Encrypted Message';
Fingerprints 101: Keywords

• Using the fingerprint GUI on XKS Central, we can test to see if this compiles:



[Screenshot: the Fingerprint Validation / Submittal GUI (Step #1 Compile, Step #2 Test Against Session Data, Step #3 Save) with the signature fingerprint('encryption/mojahdeen2') = 'ASRAR El Mojahdeen v2.0 Encrypted Message'; and the result "SUCCESS! Congratulations, your fingerprint was successfully compiled! Now use the Test button to run it against the designated session data."]





Fingerprints 101

• Once checked in, the fingerprint will hit on data like this:



[Screenshot: the same encrypted-message session shown earlier, with the "ASRAR El Mojahedeen v2.0 Encrypted Message" marker lines]
Fingerprints 101

• As a second example, let's say we want to find data like this:





[Screenshot (TXT formatter view, partly redacted in the original): a business letter headed "National Development Complex, Plot No: ..., Street No: ..., Sector: ..., Islamabad, Attn: ... Purchase", with "SUBJECT: QUOTATION AGAINST YOUR ENQUIRY REF: Purchase of RTV Silicon DATED: 16/05/2010" and the body "Dear Sir, With reference to your subject enquiry, we are pleased to enclose our Quotation No: Q-02135-05-567 dated: 07/06/2010 for your perusal. Please see the 'Terms of Sale' attached with our quote for any further details. We hope our offer suits your requirements and we look forward to your valuable purchase order in due"]
Fingerprints 101

• Look for keywords that could be used to find traffic like this in the future.





[Screenshot: the same letter as above, viewed in the TXT formatter]
Fingerprints 101

• What if we looked for "National Development Complex" and "Quotation"?



[Screenshot: the same letter with "National Development Complex" and "QUOTATION" highlighted]



Fingerprints 101: Boolean Logic

• Starting with these two keywords, we'd like to use Boolean logic to create our new fingerprint:

• national development complex

• quotation
Fingerprints 101: Boolean Logic

• Again, step one: think of a name:

fingerprint('cp/pakistan/agencies/ndc')
Fingerprints 101: Boolean Logic

• Step two, put single quotes around all keywords:

fingerprint('cp/pakistan/agencies/ndc') =
'National Development Complex'
'quotation'
Fingerprints 101: Boolean Logic

• Use the Boolean operator and:

fingerprint('cp/pakistan/agencies/ndc') =
'National Development Complex' and
'quotation'
Fingerprints 101: Boolean Logic

• Finish the expression with the semi-colon.

fingerprint('cp/pakistan/agencies/ndc') =
'National Development Complex' and
'quotation';
Fingerprints 101: Boolean Logic

• Use the fingerprint GUI to confirm the fingerprint definition compiles.

[Screenshot: the Fingerprint Validation / Submittal GUI with the signature fingerprint('cp/pakistan/agencies/ndc') = 'national development complex' and 'quotation'; and the result "SUCCESS! Congratulations, your fingerprint was successfully compiled! Now use the Test button to run it against the designated session data."]
Fingerprints 101

• This fingerprint will now successfully find all sessions like this in the future!

[Screenshot: the same letter as above, viewed in the TXT formatter]
Fingerprints 101

• However, how can we account for variations in how the traffic might be seen? Maybe "National Development Complex" will be listed as "NDC". Or maybe instead of a "Quotation" it will be an "Invoice", etc.

[Screenshot: the same letter as above, viewed in the TXT formatter]
Fingerprints 101: Boolean Logic

• Keywords can also be grouped together by parentheses to form more complex Boolean logic:
Fingerprints 101: Boolean Logic

• For example, we can expand on our previous fingerprint like so:

fingerprint('cp/pakistan/agencies/ndc') =
('National Development Complex' or 'NDC') and ('quotation' or 'invoice');
Quick Aside: Context Sensitivity

• All keywords in X-KEYSCORE are case-insensitive by default.

• So in the previous fingerprint 'NDC' will match on ndc, NdC, nDC etc.
Quick Aside: Context Sensitivity

• If you want to force a keyword to be case sensitive, simply append a c after the single quotes.

• Ex: 'NDC'c will only hit when NDC is found in all caps, and 'ndc'c will only hit when ndc is found in all lower case, etc.
Quick Aside 2: Keyword Scanning

• By default, keywords in fingerprints can hit in substrings; for example, 'ndc' is found within grandchildren.

• So this fingerprint

fingerprint('cp/pakistan/agencies/ndc') =
'NDC';

will hit on terms like:

• grandchildren

• handcard

• handcuffs

• etc.
• In specific cases, to avoid false hits you can use the word() context.

• Or force there to be a space on either or both ends of the term by including them inside the single quotes.

• So this fingerprint becomes:

fingerprint('cp/pakistan/agencies/ndc') =
' NDC ';

OR:

fingerprint('cp/pakistan/agencies/ndc') =
word('NDC');
Fingerprints 101: Boolean Logic

• Let's say that this fingerprint is producing good hits, but it is also hitting on spam e-mails.

fingerprint('cp/pakistan/agencies/ndc') =
('National Development Complex' or 'NDC') and ('quotation' or 'invoice');
Fingerprints 101: Boolean Logic

• We can use the Boolean and not to defeat unwanted traffic like below:

fingerprint('cp/pakistan/agencies/ndc') =
(('National Development Complex' or 'NDC') and ('quotation' or 'invoice')) and not ('viagra' or 'herbal supplement');
Fingerprints 101: Variables

• Variables allow you to link to a list of keywords.

• For example, working with this fingerprint, we could create a variable for each grouping of terms.

fingerprint('cp/pakistan/agencies/ndc') =
(('National Development Complex' or 'NDC') and ('quotation' or 'invoice')) and not ('viagra' or 'herbal supplement');
Fingerprints 101: Variables

• Variables use the same syntax as fingerprints:

$NDC_terms = 'National Development Complex' or 'NDC';
$procurement_terms = 'quotation' or 'invoice';
$spam_defeats = 'viagra' or 'herbal supplement';

fingerprint('cp/pakistan/agencies/ndc') =
($NDC_terms and $procurement_terms) and not $spam_defeats;
Fingerprints 101: Variables

• Variables can be re-used in multiple fingerprints.

• For example, we could have:

fingerprint('cp/pakistan/agencies/ndc') =
($NDC_terms and $procurement_terms) and not $spam_defeats;

fingerprint('cp/pakistan/agencies/ndc/testing') =
$NDC_terms and ('missile launch' or 'tactical radio');
Fingerprints 101: Variables

• In the future, you can modify the variable $NDC_terms and it will automatically affect both fingerprints, since they use that variable in their definition.
• For example, take the first scenario:

"I want to look for documents from Iran that mention a banned item"

• Just using keywords with Boolean equations, how could we restrict the term to only a document body and only coming from Iran?
Context Sensitive Scanning

• X-KEYSCORE's context sensitive scanning engine allows you to explicitly say where you want a term to hit.

• As an early example, the Tech Strings in Documents capability allowed analysts to restrict terms to only Email, Chat or Document Bodies.

• The full XKS Context Sensitive Scanning engine allows for over 70 unique contexts to be used as part of a fingerprint.
Context Sensitive Scanning

• For example, take the first scenario:

"I want to look for documents from Iran that mention a banned item"

• Using the XKS context for Country Code (based on NKB information) and the XKS context for Document Bodies, this easily becomes:

fingerprint('demo/scenario1') =
cc('ir') and doc_body('banned item');
Context Sensitive Scanning

• As another example, let's say we want to tag all iPhone usage.

• Using the XKS context for User Agent, this easily becomes:

fingerprint('demo/scenario2') =
user_agent('iphone');
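An added example, written for this page and not XKEYSCORE's own code: a small Python evaluator for the fingerprint rules the slides lay out, covering the keyword section (substring hits, case-insensitivity unless the keyword is suffixed with c, word(), and/or/not, $variables) and the context restriction of this section. It assumes a session is a dict of context name to extracted text, and SCRIPT and SESSIONS are constructed sample data, not captures.

```python
"""Added example, not XKEYSCORE code: a small evaluator for the fingerprint rules the slides state (single-quoted
substring keywords, case-insensitive unless suffixed with c; word() for whole-word hits; and/or/not with parentheses;
$variables; context(...) to restrict where a term may hit). Session layout and all sample data below are assumed."""
import re
# Tokens: 'keyword' with optional c suffix, $variable, identifier, punctuation, or a stray character.
TOKEN_RE = re.compile(r"(?P<KW>'[^']*'(?:c\b)?)|(?P<VAR>\$\w+)|(?P<ID>\w+)|(?P<P>[()=;])|(?P<BAD>\S)")

def tokenize(text):
    tokens = []
    for m in TOKEN_RE.finditer(text):  # finditer skips the whitespace between tokens
        kind, val = m.lastgroup, m.group()
        if kind == "BAD":
            raise SyntaxError(f"unexpected character {val!r}")
        tokens.append(("KW", val[1:val.rindex("'")], val.endswith("c")) if kind == "KW"  # c: case-sensitive
                      else (kind, val.lower() if kind == "ID" else val, None))
    return tokens

class Parser:  # recursive descent: or (lowest) < and < not < keyword / $var / context(...) / (...)
    def __init__(self, tokens):
        self.toks, self.i = tokens + [("EOF", None, None)], 0
    def take(self, kind=None, val=None):
        tok = self.toks[self.i]
        if kind and (tok[0] != kind or (val is not None and tok[1] != val)):
            raise SyntaxError(f"expected {val or kind}, got {tok[1]!r}")
        self.i += 1
        return tok
    def parse(self, level=0):  # level 0: or-chain, 1: and-chain, 2: primary
        if level == 2:
            return self.parse_primary()
        node = self.parse(level + 1)
        while self.toks[self.i][:2] == ("ID", ("or", "and")[level]):
            node = (self.take()[1], node, self.parse(level + 1))
        return node
    def parse_primary(self):
        kind, val, flag = self.take()
        if (kind, val) == ("ID", "not"):
            return ("not", self.parse_primary())
        if kind in ("KW", "VAR"):
            return (kind.lower(), val, flag)
        if kind == "ID":  # word(...) or a context such as doc_body(...), cc(...), user_agent(...)
            self.take("P", "(")
        elif val != "(":
            raise SyntaxError(f"unexpected {val!r}")
        node = self.parse()
        self.take("P", ")")
        return node if kind != "ID" else ("word", node) if val == "word" else ("ctx", val, node)

def load(script):  # parses "$var = expr;" and "fingerprint('name') = expr;" statements into {name: ast}
    defs, p = {}, Parser(tokenize(script))
    while p.toks[p.i][0] != "EOF":
        lhs = p.parse_primary()  # ("var", "$name", None) or ("ctx", "fingerprint", ("kw", name, False))
        name = lhs[1] if lhs[0] == "var" else "fingerprint:" + lhs[2][1]
        p.take("P", "=")
        defs[name] = p.parse()
        p.take("P", ";")
    return defs

def evaluate(node, session, defs, field=None, whole=False):
    """True if the expression hits a session given as {context name: extracted text}."""
    op, sub = node[0], lambda n, f=field, w=whole: evaluate(n, session, defs, f, w)
    if op == "kw":  # substring match; a bare keyword (no context) scans every extracted text
        pat = re.escape(node[1] if node[2] else node[1].lower())
        pat = r"(?<!\w)%s(?!\w)" % pat if whole else pat  # word(): nothing alphanumeric may touch it
        texts = [session[field]] if field else session.values()
        return any(re.search(pat, t if node[2] else t.lower()) for t in texts)
    if op == "ctx":  # restrict the inner expression to one extracted context; absent context: no hit
        return node[1] in session and sub(node[2], node[1])
    if op == "var":
        return sub(defs[node[1]])
    if op == "not":
        return not sub(node[1])
    if op == "word":
        return sub(node[1], field, True)
    return (sub(node[1]) and sub(node[2])) if op == "and" else (sub(node[1]) or sub(node[2]))

def hits(defs, session):  # sorted names of the fingerprints in defs that hit this session
    return sorted(k[12:] for k in defs if k.startswith("fingerprint:") and evaluate(defs[k], session, defs))

SCRIPT = """
$NDC_terms = 'National Development Complex' or 'NDC';
$procurement_terms = 'quotation' or 'invoice';
$spam_defeats = 'viagra' or 'herbal supplement';
fingerprint('cp/pakistan/agencies/ndc') = ($NDC_terms and $procurement_terms) and not $spam_defeats;
fingerprint('demo/substring') = 'NDC';  fingerprint('demo/word') = word('NDC');  fingerprint('demo/caps') = 'NDC'c;
fingerprint('demo/scenario1') = cc('ir') and doc_body('banned item');
fingerprint('demo/scenario2') = user_agent('iphone');
"""
SESSIONS = {  # constructed {context: extracted text} records, not captured data
    "letter": {"document_body": "Quotation No: Q-02135 from National Development Complex", "cc": "pk"},
    "spam": {"email_body": "NDC invoice attached, plus herbal supplement offers", "cc": "pk"},
    "kids": {"chat_body": "my grandchildren visit on sundays", "cc": "ir"},
    "phone": {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 4_3)", "doc_body": "NDC invoice: banned item", "cc": "ir"},
}
if __name__ == "__main__":
    print({name: hits(load(SCRIPT), session) for name, session in SESSIONS.items()})
```

The "kids" session shows the substring false hit the slides warn about ('NDC' matching inside grandchildren) while word('NDC') stays silent, and the "spam" session shows the and not defeat suppressing the cp/pakistan/agencies/ndc fingerprint.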
USSID18/HRA Considerations

• XKS fingerprints may not be USSID18 or HRA compliant if they are queried on by themselves.

• For example, we may want to fingerprint the use of mobile web devices like the iPhone, so that attribute could be used as part of a more complex query.

• But querying for the iPhone fingerprint itself would be a USSID18 and HRA violation.
USSID18/HRA Considerations

• But if you want to look for an iPhone user from an Iranian proxy accessing his Mail.ru account:

[Screenshot: a query form with an IP Address field, an "Either" selector and the AppID (+Fingerprints) field, where the Field Builder is used to add browser/cellphone/iphone and mail/webmail/mailru (the tree also lists mail/webmail/mailru/attachment and mail/webmail/mailru/post)]
Context Sensitive Scanning

What contexts are available for use in XKS Fingerprints?
HTTP Activity Contexts (1 of 2)

html_title(expr)
The normalized extracted text of web page titles.
html_title('how to' and 'bomb')

http_host(expr)
The "Host:" name given in the HTTP header.
http_host('yahoo.com')

http_url(expr)
Every URL from HTTP GET and POST commands.
http_url('/mail/inbox?action=delete')

http_url_args(expr)
All arguments given as part of a URL (i.e. all text following the '?' in a URL string).
http_url_args('action=delete')

http_referer(expr)
The "Referer:" URL given in the HTTP header.
http_referer('http://badwebsite/cp?action=show')

http_language(expr)
The normalized two-letter iso-6393 language code as inferred from any HTTP and/or HTML header info.
http_language('fa' or 'de')
HTTP Activity Contexts (2 of 2)

http_cookie(expr)
The "Cookie:" field given in the HTTP header.
http_cookie(/PREF=\d\d[a-z]/)

http_server(expr)
The "Server:" type name in the HTTP header.
http_server('GWS/2.1' or 'Apache')

http_user_agent(expr)
The "User-Agent:" field given in the HTTP header.
http_user_agent(/Mozilla\/[45]/ or 'Chrome')

web_search(expr)
The normalized extracted text from web searches.
web_search('ricin' or 'plague')

x_forwarded_for(expr)
The X-Forwarded-For IP address from the HTTP header.
x_forwarded_for('1.2.3.4')
Protocol Contexts (1 of 2)

ip(expr)
The source or destination IP address of the session.
ip('127.0.0.1')

from_ip(expr)
The source IP address of the session.
from_ip('127.0.0.1')

to_ip(expr)
The destination IP address of the session.
to_ip('127.0.0.1')

ip_subnet(expr)
IP subnet in CIDR notation.
ip_subnet('7.211.143.148/24')

port(expr)
The source or destination TCP or UDP port number.
port('22')

from_port(expr)
The source TCP or UDP port number.
from_port('22')

to_port(expr)
The destination TCP or UDP port number.
to_port('22')



TOP SECRET//COMINT 









Protocol Contexts (2 of 2)



cc(expr)
The country (either to or from) based on IP address.
cc('ir' or 'pk')

from_cc(expr)
The source country based on IP address.
from_cc('ir' or 'pk')

to_cc(expr)
The destination country based on IP address.
to_cc('ir' or 'pk')

protocol(expr)
The textual form of the IP next protocol.
protocol('TCP')

next_protocol(expr)
The textual form of the IP next protocol.
ip_next_protocol('17')

mac_address(expr)
The MAC address of the target network device.
mac_address('00:16:3E:3F:BD:EF')
email_body(expr)
The UTF-8 normalized text of all email bodies.
email_body('how to' and 'build' and ('bomb' or 'weapon'))

chat_body(expr)
The UTF-8 normalized text of all chat bodies.
chat_body('how to' and 'build' and ('bomb' or 'weapon'))

document_body(expr)
The UTF-8 normalized text of the Office document. Office documents include (but are not limited to) Microsoft Office, Open Office, Google Docs and Spreadsheets.
document_body('how to' and 'build' and ('bomb' or 'weapon'))

calendar_body(expr)
The UTF-8 normalized text of all calendars. An example is Google Calendar.
calendar_body('wedding')

archive_files(expr)
Matches a list of files from within an archive. For example, if a ZIP file is transmitted, all names of files within are passed to this context.
archive_files('bad.dll' or 'virus.doc')

http_post_body(expr)
The UTF-8 normalized text of HTTP URL-encoded POSTs.
http_post_body('action=send' and 'badguy@yahoo')
Communication Based Contexts: Aliases

doc_email_body(expr)
This covers the email_body and document_body contexts.
doc_email_body('how to' and 'build' and ('bomb' or 'weapon'))

communication_body(expr)
This covers the email_body, document_body and chat_body contexts.
communication_body('how to' and 'build' and ('bomb' or 'weapon'))

A guide to XKS contexts can be found here
Context sensitivity

Why use context-sensitive scanning?

• More intuitive - you can say what you mean

• More accurate - if 'maps.google.com' is mentioned in a blog post, you don't want to try processing it as a Google Maps session

• Better performance for XKEYSCORE






Examples

• "I want to look for people doing web searches on Jihad from Kabul"

• Using the from_city() and web_search() contexts, this becomes:

fingerprint('demo/scenario3') =
from_city('kabul') and web_search('jihad');
Examples

• "I want to look for people using Mojahedeen Secrets encryption from an iPhone"

• You can even use existing fingerprints in a fingerprint definition! So this becomes:

fingerprint('demo/scenario4') =
fingerprint('encryption/mojahdeen2') and
fingerprint('browser/cellphone/iphone');
Example

• "I want to look for E-mails that mention words from various categories of interest to CP"

• You can use multiple variables in an equation like this:

topic('wmd/acw/govtorgs') =
email_body($acwitems and $acwpositions and ($acwcountries or $acwbrokers or $acwports));







Example

• $acwitems = 'machine gun' or 'grenade' or 'AK 47';

• $acwpositions = 'minister of defence' or 'defense minister';

• $acwcountries = 'somalia' or 'liberia' or 'sudan';

• $acwbrokers = 'south africa' or 'serbia' or 'bulgaria';

• $acwports = 'rangoon' or 'albasra' or 'dar es salam';

topic('wmd/acw/govtorgs') =
email_body($acwitems and $acwpositions and ($acwcountries or $acwbrokers or $acwports));
New Fingerprint GUI

• The new XKS Fingerprint GUI allows analysts to directly test, submit and manage fingerprints through the web.

[Screenshot: the Fingerprint Validation / Submittal page, with a Fingerprints navigation menu (Validate / Submit, Approved, Pending, My Signatures), Step #1 Compile, Step #2 Test Against Session Data, Step #3 Save, a Help button, a "Global Variable Declarations" box ("Type or paste any global VARIABLE DECLARATIONS here.") and a "Signature" box ("Type or paste a FINGERPRINT definition here. Press Compile when done editing")]

[Screenshot: the same page filled in with the global variable declaration $test = 'bomb' or 'missle' or (rest cut off) and the signature fingerprint('test/test1') = email_body($test); with the result "Congratulations, your fingerprint was successfully compiled! Now use the Test button to run it against the designated session data."]

Questions?
Syntax Rules

• The definition of the fingerprint will look like this:

fingerprint('test/blah/something', owner =

Note the single quotes needed for the fingerprint name and owner.
Syntax Rules

• Secondly, every fingerprint definition must be completed by a semi-colon.

fingerprint('test/blah/something', owner =
'badguy' ;
Syntax Rules

• Variables also must be completed by a semi-colon.

$badguy = 'bomb' or 'gun' or 'weapon' ;

fingerprint('test/blah/something', owner = '
$badguy;
Syntax Rules

• Definitions and variables can span multiple lines.

$badguy =
'bomb' or
'gun' or
'weapon' ;

fingerprint('test/blah/something', owner =
$badguy;